Heathrow fined after data leak from USB stick

Harefield Gazette - NEWS

HEATHROW Airport has been fined £120,000 after a data leak, reportedly revealing details about the Queen’s travel plans, sparked a major investigation.

The Information Commissioner’s Office (ICO) handed out the fine after a member of the public found a USB memory stick which had been lost by a “rogue” member of Heathrow staff.

The contents, more than 1,000 files across 76 folders, were viewed at a public library in October 2017 before being handed over to the Sunday Mirror.

The newspaper said the USB stick, which was neither encrypted nor password protected, was discovered by a member of the public in Ilbert Street, in Queen’s Park, west London.

It reportedly contained files revealing information such as security measures used to protect the Queen at Europe’s busiest airport, the types of ID needed to access restricted areas and the locations of CCTV cameras and tunnels linked to the Heathrow Express.

The ICO said it contained a training video containing personal details of 10 individuals “involved in a particular greeting party”, and the details of up to 50 Heathrow security personnel.

The breach forced the airport’s chief executive John Holland-Kaye to subsequently tell MPs security had not been compromised.

Following the fine, Steve Eckersley, ICO director of investigations, said: “Data protection should have been high on Heathrow’s agenda, but our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.

“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them.”

The ICO investigation found that only 2% of the 6,500-strong workforce had been trained in data protection.

Other concerns noted during the investigation included the widespread use of removable media in contravention of Heathrow’s own policies and guidance and ineffective controls preventing personal data from being downloaded onto unauthorised or unencrypted media.

Heathrow carried out a number of remedial actions once it was informed of the breach, including reporting the matter to the police, acting to contain the incident and engaging a third party specialist to monitor the internet and dark web.

A Heathrow spokesman said: “Following this incident the company took swift action and strengthened processes and policies. We accept the fine that the ICO have deemed appropriate and spoken to all individuals involved.

“We recognise that this should never have happened and would like to reassure everyone that necessary changes have been implemented including the start of an extensive, information security training programme which is being rolled out company-wide.

“We take our compliance with all laws extremely seriously and operate within the stringent regulatory and legal requirements demanded of us.”

Heathrow’s own investigation into the matter indicated the data was compiled by a “rogue” employee security trainer, and had been lost during a commute to or from work.
